!48 Fix CVE-2024-24786

From: @northgarden Reviewed-by: @duyiwei7w Signed-off-by: @duyiwei7w
2024-04-01 08:46:12 +00:00 · 2024-04-01 08:46:12 +00:00 · 62b1677bb1
commit 62b1677bb1
parent afda6d3ed3 5139cbe234
2 changed files with 67 additions and 1 deletions
--- a/0007-fix-CVE-2024-24786.patch
+++ b/0007-fix-CVE-2024-24786.patch
@ -0,0 +1,59 @@
 From 171172b7a8a24104415f1d461da7a839dd9933a3 Mon Sep 17 00:00:00 2001
 From: bwzhang <zhangbowei@kylinos.cn>
 Date: Mon, 25 Mar 2024 10:47:11 +0800
 Subject: [PATCH] fix CVE-2024-24786
 encoding/protojson, internal/encoding/json: handle missing object values
 In internal/encoding/json, report an error when encountering a }
 when we are expecting an object field value. For example, the input
 now correctly results in an error at the closing } token.
 In encoding/protojson, check for an unexpected EOF token in
 skipJSONValue. This is redundant with the check in internal/encoding/json,
 but adds a bit more defense against any other similar bugs that
 might exist.
 Fixes CVE-2024-24786
 Change-Id: I03d52512acb5091c8549e31ca74541d57e56c99d
 Reviewed-on: https://go-review.googlesource.com/c/protobuf/+/569356
 TryBot-Bypass: Damien Neil <dneil@google.com>
 Reviewed-by: Roland Shoemaker <roland@golang.org>
 Commit-Queue: Damien Neil <dneil@google.com>
 ---
 .../protobuf/encoding/protojson/well_known_types.go           | 4 ++++
 .../protobuf/internal/encoding/json/decode.go                 | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
 diff --git a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
 index 72924a9..d3825ba 100644
 --- a/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
 +++ b/vendor/google.golang.org/protobuf/encoding/protojson/well_known_types.go
@@ -328,6 +328,10 @@ func (d decoder) skipJSONValue() error {
 				if err := d.skipJSONValue(); err != nil {
 					return err
 				}
 +			case json.EOF:
 +				// This can only happen if there's a bug in Decoder.Read.
 +				// Avoid an infinite loop if this does happen.
 +				return errors.New("unexpected EOF")
 			}
 		}
 diff --git a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
 index b13fd29..b2be4e8 100644
 --- a/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
 +++ b/vendor/google.golang.org/protobuf/internal/encoding/json/decode.go
@@ -121,7 +121,7 @@ func (d *Decoder) Read() (Token, error) {
 	case ObjectClose:
 		if len(d.openStack) == 0 ||
 -			d.lastToken.kind == comma ||
 +			d.lastToken.kind&(Name|comma) != 0 ||
 			d.openStack[len(d.openStack)-1] != ObjectOpen {
 			return Token{}, d.newSyntaxError(tok.pos, unexpectedFmt, tok.RawString())
 		}
 -- 
 2.20.1
--- a/cri-o.spec
+++ b/cri-o.spec
@ -21,7 +21,7 @@
 Name:           cri-o
 Version:        1.23.2
 Epoch:          0
-Release:        8
+Release:        9
 Summary:        Open Container Initiative-based implementation of Kubernetes Container Runtime Interface
 License:        ASL 2.0
 URL:            https://github.com/cri-o/cri-o
@ -35,6 +35,7 @@ Patch0003:      0003-fix-CVE-2022-0811.patch
 Patch0004:      0004-fix-CVE-2022-1708.patch
 Patch0005:      0005-fix-CVE-2023-39325.patch
 Patch0006:      0006-fix-CVE-2022-41723.patch
 Patch0007:      0007-fix-CVE-2024-24786.patch
 ExclusiveArch:  %{?go_arches:%{go_arches}}%{!?go_arches:%{ix86} x86_64 aarch64 %{arm}}
 BuildRequires:  golang >= 1.17, git-core, glib2-devel, glibc-static, openEuler-rpm-config
@ -165,6 +166,12 @@ install -dp %{buildroot}%{_sharedstatedir}/containers
 %{_datadir}/zsh/site-functions/_%{service_name}*
 %changelog
 * Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.23.2-9
 - Type:bugfix
 - CVE:NA
 - SUG:NA
 - DESC: fix CVE-2024-24786
 * Mon Apr 1 2024 zhangbowei <zhangbowei@kylinos.cn> - 0:1.23.2-8
 - Type:bugfix
 - CVE:NA